Software Model-checking: The SAnToS/Bandera Perspective (PDF document: slide transcript)


SLIDE 1

Software Model-checking: The SAnToS/Bandera Perspective

http://www.cis.ksu.edu/bandera

SAnToS Laboratory, Kansas State University, USA

Principal Investigators: Matt Dwyer, John Hatcliff

Postdocs and Students: Radu Iosif, Hongjun Zheng, Corina Pasareanu, Georg Jung, Robby, Venkatesh Ranganath, Oksana Tkachuk, William Deng

Support: US National Science Foundation (NSF), US National Aeronautics and Space Administration (NASA), US Defense Advanced Research Projects Agency (DARPA), US Army Research Office (ARO), Rockwell-Collins ATC, Honeywell Technology Center and NASA Langley, Sun Microsystems, Intel

The Bandera Perspective

This talk will focus on Bandera and Cadena and will give the Bandera/SAnToS perspective on software model-checking.

For other perspectives see…
  • Java PathFinder (JPF), NASA Ames
  • SLAM Project, Microsoft Research
  • BLAST Project, U. Berkeley
  • FeaVer Project, Lucent/Bell Labs
  • Alloy, MIT

SLIDE 2

Goals of the Project

  • I. Provide a platform for construction of and experimentation with technologies for model-checking concurrent Java software
    … property specification languages, e.g., temporal logic, state machines
    … model-reduction techniques, e.g., abstraction, slicing, compiler-based optimizations
    … model-checking engines, e.g., explicit-state, symbolic
  • II. Integration with commonly used design notations, methods, and processes
    … UML artifacts, CCM, e.g., checking, specification
    … automatic generation of synchronization code with dedicated checking
  • III. Evaluation using safety-critical military and civilian applications as well as non-critical popular open-source software
    … integration with development and certification of safety-critical systems

In This Talk…

  • Challenges in model-checking software and how Bandera addresses these (30 minutes)
  • Overview of Bandera tool architecture and functionality of primary components (40 minutes)
  • -- break --
  • Specification Patterns (20 minutes)
  • Modeling Avionics Software (40 minutes)
  • Conclusions (10 minutes)

SLIDE 3

Goals

  • Draw connections with earlier lectures and explain how various concepts and techniques are similar/different in software
  • Highlight hard open problems related to software model-checking
  • Share what I think are future trends in software model-checking and why we as a community have some reasons for being optimistic

Model Checking

[Diagram: a finite-state model and a temporal logic formula (Φ, Ω) are fed to the model checker, which answers either OK or produces an error trace listing the lines reached: Line 5: …, Line 12: …, Line 15: …, Line 21: …, Line 25: …, Line 27: …, …, Line 41: …, Line 47: …]

SLIDE 4

What makes model-checking software difficult?

[Diagram: the same model-checking loop (finite-state model and temporal logic formula in, OK or error trace out), annotated with the four problems treated next.]

Problems using existing checkers:
  • Model construction
  • Property specification
  • State explosion
  • Output interpretation

Model Construction Problem

Program (Java):

    void add(Object o) {
      buffer[head] = o;
      head = (head + 1) % size;
    }

    Object take() {
      …
      tail = (tail + 1) % size;
      return buffer[tail];
    }

Model description: automata, written in the model checker's description language.

Semantic gap: programming languages have methods, inheritance, dynamic creation, exceptions, etc.; model description languages have automata. The gap between the program and the model description has to be bridged by hand or by a tool.

SLIDE 5

Model Construction Problem

Due to state explosion, model-checking should not be applied to an entire code base, but rather to a unit.

[Diagram: a unit drawn as a box inside the larger code base.]

In OO software, boundaries between units are usually messy!
  • references flow out of the unit, and external components can change the state of objects created in the unit
  • call-backs (in all GUI code)
  • tedious to identify interaction points and define stubs/drivers

SLIDE 6

Property Specification Problem

Difficult to formalize a requirement in temporal logic. "Between the window open and the window close, button X can be pushed at most twice." …is rendered in LTL as...

    []((open /\ <>close) -> ((!pushX /\ !close) U (close \/ ((pushX /\ !close) U (close \/ ((!pushX /\ !close) U (close \/ ((pushX /\ !close) U (close \/ (!pushX U close))))))))))

Property Specification Problem

Forced to state the property in terms of the model rather than the source. We want to write source level specifications...

    Heap.b.head == Heap.b.tail

We are forced to write model level specifications...

    (((_collect(heap_b) == 1) && (BoundedBuffer_col.instance[_index(heap_b)].head == BoundedBuffer_col.instance[_index(heap_b)].tail)) || ((_collect(heap_b) == 3) && (BoundedBuffer_col_0.instance[_index(heap_b)].head == BoundedBuffer_col_0.instance[_index(heap_b)].tail)) || ((_collect(heap_b) == 0) && TRAP))

SLIDE 7

Property Specification Problem

Complications arise due to the dynamic nature of OO software.

Requirement: If a buffer instance becomes full, it will eventually become non-full.

Consider multiple instances of a bounded buffer class...

[Diagram: program variables b1, b2, b3 pointing into a set of heap objects.]

In general, a heap object has no program-level name that persists throughout the lifetime of the object.

SLIDE 8

State Explosion Problem

Moore's law and algorithm advances can help (Holzmann: 7 days (1980) ==> 7 seconds (2000)), but explosive state growth in software limits scalability.

SLIDE 9

Output Interpretation Problem

[Diagram: the checker's error trace (Line 5: …, Line 12: …, Line 15: …, Line 21: …, Line 25: …, Line 27: …, …, Line 41: …, Line 47: …) refers to the model description; between the model description and the Java program (the add/take excerpt from slide 4) there is the same gap as before.]

Must map the line listing onto the model description. Mapping to source is made difficult by:
  • the semantic gap and clever encodings of complex features
  • multiple optimizations and transformations
  • raw error traces that may be 1000's of steps long
  • over-approximations in abstractions that may yield infeasible error traces (how to decide if feasible or not?)

Bandera: An open tool set for model-checking Java source code

[Diagram: Java source enters Bandera's transformation and abstraction tools, driven from a graphical user interface with optimization control. Bandera produces the checker inputs (models plus the Bandera temporal specification) for the model checkers, and maps the checker outputs back as an error trace over the source (error trace mapping).]

SLIDE 10

Addressing the Model Construction Problem

Model extraction: compiling to model checker inputs. The model compiler takes the Java source (the add/take excerpt from slide 4) and, through static analyses, abstract interpretation, slicing and optimizations, emits a model description.

  • Numerous analyses, optimizations, two intermediate languages, multiple back-ends
  • Slicing, abstract interpretation, specialization
  • Variety of usage modes: simple...highly tuned

Addressing the Model Construction Problem

[Diagram: a unit inside the code base, with the Bandera environment generation tools working on its boundary.]

Bandera environment generation tools:
  • Identify classes in the unit
  • Automatically find points of interaction (where the unit calls outside classes or is called itself)

SLIDE 11

Addressing the Model Construction Problem

Bandera environment generation tools:
  • Identify classes in the unit
  • Automatically find points of interaction (where the unit calls outside classes or is called itself)
  • Driver: automatically generates a driver (generates calls to the unit based on a regular expression or LTL formula; a Java encoding of a state machine)
  • Stubs: automatically generates stubs, cutting away non-unit classes
  • Result: a closed unit

Addressing the Property Specification Problem

An extensible language based on field-tested temporal property specification patterns.

Using the pattern system, 2-bounded existence:

    Between {open} and {close} {pushX} exists atMost {2} times;

which stands for the LTL formula

    []((open /\ <>close) -> ((!pushX /\ !close) U (close \/ ((pushX /\ !close) U (close \/ ((!pushX /\ !close) U (close \/ ((pushX /\ !close) U (close \/ (!pushX U close))))))))))

SLIDE 12

Addressing the State Explosion Problem

Generate models customized with respect to the property! The model compiler takes the Java source and the property and produces model descriptions; aggressive customization via slicing, abstract interpretation, program specialization. Result: multiple models, even as many as one per property.

Addressing the Output Interpretation Problem

Like a debugger: error traces are mapped back to source. The model compiler retains its intermediate representations, and the model description is paired with a simulator, so that the model checker's error trace (Line 5: …, Line 12: …, Line 15: …, Line 21: …) is replayed over the Java source.
  • Run error traces forwards and backwards
  • Program state queried
  • Heap structures navigated & visualized
  • Locks, wait sets, blocked sets displayed

SLIDE 13

Bandera Architecture

[Diagram: Java source goes through the Java Parser to Jimple; the Property Tool, Slicer, Abstraction Engine and Analyses operate on Jimple; BIRC compiles Jimple to BIR; Translators target the back-ends SPIN, HSF-SPIN, dSPIN, SMV and JPF; the BIR Simulator and the Error Trace Display bring results back to the user.]

Bounded Buffer

    class BoundedBuffer {
      Object[] buffer;
      int head;   /* next available slot */
      int tail;   /* last available slot */
      int bound;  /* max # of elements */
      public BoundedBuffer(int b) { … }
      public synchronized boolean isEmpty() { … }
      public synchronized void add(Object o) { … }
      public synchronized Object take() { … }
    }

[Diagram: the circular buffer with the positions of head and tail after Initialization, after Add,Add, and after Add,Take,Take.]

SLIDE 14

Property Specification

    /**
     * @observable
     * EXP Full: (head == tail);
     */
    class BoundedBuffer {
      Object[] buffer;
      int head, tail, bound;
      public synchronized void add(Object o) { … }
      public synchronized Object take() { … }
    }

Requirement: If a buffer becomes full, it will eventually become non-full.

Bandera Specification:

    FullToNonFull: forall[b:BoundedBuffer].
      {Full(b)} leads to {!Full(b)} globally;

Property Specification

    /**
     * @observable
     * EXP Empty:
     *   head == ((tail+1) % bound);
     */
    class BoundedBuffer {
      int head, tail, bound;
      /**
       * @observable INVOKE Call;
       */
      public synchronized void add(Object o) { … }
      /**
       * @observable RETURN Return;
       */
      public synchronized Object take() { … }
    }

Requirement: Empty buffers must be added to before being taken from.

Bandera Specification:

    NoTakeWhileEmpty: forall[b:BoundedBuffer].
      {take.Return(b)} is absent after {Empty(b)} until {add.Call(b)};
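To see what checking NoTakeWhileEmpty involves, here is a small explicit-state checker for the monitor-based BoundedBuffer, written in Python for this transcript; it is not Bandera's code and uses none of its formats. It models each synchronized method body as one atomic step (wait() is the only interleaving point), enumerates every interleaving breadth-first, flags a take whose Empty guard no longer holds when its body runs, and returns the shortest violating trace as a list of statement labels, which is the role the error-trace mapping plays on the slides. The `recheck_after_wait` switch contrasts the slide's `while (cond) wait()` with the classic `if (cond) wait()` bug; the thread counts and the bound are assumptions chosen to keep the state space tiny.

```python
"""Explicit-state model checking of the slide's monitor-based BoundedBuffer.

Every thread is a cyclic loop of one synchronized method (add or take).
Because the methods are synchronized, a method body is one atomic step;
the only interleaving points are the wait() calls.  A state is
(head, tail, thread program counters); the checker enumerates all
interleavings breadth-first and reports the shortest violating trace.
"""
from collections import deque

CHECK, WAIT, RESUME = "check", "wait", "resume"


def _set(pcs, i, value):
    return pcs[:i] + (value,) + pcs[i + 1:]


def bounded_buffer_model(bound, producers, consumers, recheck_after_wait):
    """Build the model.  recheck_after_wait=True is the slide's
    `while (cond) wait();`, False is the `if (cond) wait();` bug.  Full is
    head == tail and Empty is head == (tail + 1) % bound, exactly the
    slide's observables (so a buffer of size bound holds bound - 1 items)."""
    kinds = ["add"] * producers + ["take"] * consumers

    def blocked(kind, head, tail):
        return head == tail if kind == "add" else head == (tail + 1) % bound

    def step(state, i):
        """Fire thread i from state.  Returns (label, next_state, violation)
        or None when the thread is parked in wait()."""
        head, tail, pcs = state
        kind, pc = kinds[i], pcs[i]
        if pc == WAIT:
            return None
        if pc == CHECK and blocked(kind, head, tail):
            return (f"T{i}.{kind}: wait()", (head, tail, _set(pcs, i, WAIT)), False)
        if pc == RESUME and recheck_after_wait:
            return (f"T{i}.{kind}: recheck", (head, tail, _set(pcs, i, CHECK)), False)
        # The body runs.  It violates NoTakeWhileEmpty (or the dual for add)
        # if its guard was not re-established before we got here.
        violation = blocked(kind, head, tail)
        if kind == "add":
            head = (head + 1) % bound
        else:
            tail = (tail + 1) % bound
        woken = tuple(RESUME if p == WAIT else p for p in pcs)  # notifyAll()
        return (f"T{i}.{kind}: body", (head, tail, _set(woken, i, CHECK)), violation)

    init = (0, bound - 1, tuple(CHECK for _ in kinds))  # empty buffer
    return init, len(kinds), step


def explore(init, nthreads, step):
    """Breadth-first search over every interleaving.  Returns the number of
    distinct states reached plus the first error trace (a list of labels,
    the analogue of the slide's 'Line 5: ...' listing) or deadlock trace."""
    parent = {init: None}
    queue = deque([init])
    while queue:
        state = queue.popleft()
        enabled = False
        for i in range(nthreads):
            fired = step(state, i)
            if fired is None:
                continue
            enabled = True
            label, nxt, violation = fired
            if violation:
                return {"states": len(parent), "error": trace(parent, state) + [label], "deadlock": None}
            if nxt not in parent:
                parent[nxt] = (state, label)
                queue.append(nxt)
        if not enabled:
            return {"states": len(parent), "error": None, "deadlock": trace(parent, state)}
    return {"states": len(parent), "error": None, "deadlock": None}


def trace(parent, state):
    """Walk the BFS parent links back to the initial state."""
    labels = []
    while parent[state] is not None:
        state, label = parent[state]
        labels.append(label)
    return labels[::-1]


if __name__ == "__main__":
    for recheck in (True, False):
        model = bounded_buffer_model(bound=3, producers=1, consumers=2, recheck_after_wait=recheck)
        print("while-wait" if recheck else "if-wait", explore(*model))
```

With one producer and two consumers on a bound-3 buffer, the `if` variant yields a four-step trace ending in a take from an empty buffer: one consumer waits, the add wakes it, the other consumer (never parked) takes the single item first, and the woken consumer then runs its body without rechecking. The `while` variant explores the whole state space (at most 3 × 3 × 27 states) and finds neither a violation nor a deadlock. The same buggy model with a single consumer shows no violation at all, which is why this bug survives casual testing and why exhaustive interleaving matters.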

SLIDE 15

Quantification

    forall[b:BoundedBuffer].P(b)

The quantified set BoundedBuffer is not fixed: it varies within executions and it varies across executions.

Solution: add a state variable (for b) that will eventually be bound non-deterministically to each instance, and enable checking of the formula only when the variable is bound to an instance:

    (!selected U (selected && P(b))) || [] !selected

Quantification (Cont'd)

[Diagram: in the original model an execution allocates new BoundedBuffer(n), new BoundedBuffer(m) and new BoundedBuffer(k) in turn. In the augmented model each allocation branches: either the new instance is not selected (!selected) and the execution continues to the next allocation, or it becomes the selected instance (selected = 1, 2 or 3 respectively) and P(b) is checked from there on.]

SLIDE 16

Quantification (Cont'd)

Original model:

    class BoundedBuffer {
      Object[] buffer;
      int head, tail, bound;
      public BoundedBuffer(int n) { ... }
    }

Augmented model:

    class heap {
      public static BoundedBuffer b;
    }

    class BoundedBuffer {
      Object[] buffer;
      int head, tail, bound;
      public BoundedBuffer(int n) {
        ...
        if (heap.b == null && Bandera.choose()) {
          heap.b = this;
        }
      }
    }

Quantification (Cont'd)

    forall[b:BoundedBuffer]. {Full(b)} leads to {!Full(b)} globally;

Bandera compiles to…

    (heap.b == null U (heap.b != null && ([](heap.b.head == heap.b.tail) -> <>(heap.b.head != heap.b.tail)))) || [](heap.b == null)

SLIDE 17

Front End

Java:

    public synchronized void add(Object o) {
      while (tail == head)
        try { wait(); } catch (InterruptedException ex) {}
      buffer[head] = o;
      head = (head + 1) % bound;
      notifyAll();
    }

Jimple (excerpts):

    public synchronized void add(java.lang.Object) {
      T$0 := @this;
      o := @parameter0;
      entermonitor T$0;
      label0: goto label4;
      label1: virtualinvoke T$0.[wait():void]();
      T$3 = T$0.[head:int];
      T$4 = T$0.[buffer:Object[]];
      T$4[T$3] = o;
      …
    }

Property-directed Slicing

The slicing criterion is generated automatically from the observables mentioned in the property. Backwards slicing automatically finds all components that might influence the observables.

[Diagram: the source program, with statements mentioned in the property and statements indirectly relevant to them highlighted, and the resulting slice containing only those.]

SLIDE 18

Property-directed Slicing

    /**
     * @observable EXP Full: (head == tail)
     */
    class BoundedBuffer {
      Object[] buffer_;
      int bound;
      int head, tail;
      public synchronized void add(Object o) {
        while (tail == head)
          try { wait(); } catch (InterruptedException ex) {}
        buffer_[head] = o;
        head = (head + 1) % bound;
        notifyAll();
      }
      ...
    }

Slicing criterion: all statements that assign to head, tail.

[Diagram: the statements of add() marked as included in the slicing criterion, indirectly relevant, or removed by slicing.]
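A toy version of the property-directed slice, added here (it is not Bandera's slicer) to show the mechanics: the criterion is every assignment to a variable of the observables, and a worklist closes it under data dependence (whoever defines a variable a kept statement uses) and control dependence (the predicate a kept statement executes under). The program is the slide's add() plus a matching take(), written out as tuples with hand-annotated def/use sets; those annotations are assumptions of this example, as is the decision to record statements after a blocking `while (...) wait()` loop as control dependent on the loop predicate (in a monitor, whether the loop exits decides whether the later assignments happen at all). What the toy leaves out, and a slicer for concurrent Java must add, are interference dependences between threads and the dependence of a waiting thread on the notifyAll() that wakes it; with those, the wait/notifyAll pairs would not be sliced away.

```python
"""Property-directed backward slicing reduced to its core: data and
control dependence closure from the statements that assign the
observables.  Program entries are (label, source text, defs, uses,
controlling predicate); def/use sets are hand-annotated for the example."""

PROGRAM = [
    ("add.1",  "while (tail == head)",              set(),       {"tail", "head"},          None),
    ("add.2",  "  wait()",                           set(),       set(),                     "add.1"),
    ("add.3",  "buffer_[head] = o",                  {"buffer_"}, {"head", "o"},             "add.1"),
    ("add.4",  "head = (head + 1) % bound",          {"head"},    {"head", "bound"},         "add.1"),
    ("add.5",  "notifyAll()",                        set(),       set(),                     "add.1"),
    ("take.1", "while (head == (tail + 1) % bound)", set(),       {"head", "tail", "bound"}, None),
    ("take.2", "  wait()",                           set(),       set(),                     "take.1"),
    ("take.3", "tail = (tail + 1) % bound",          {"tail"},    {"tail", "bound"},         "take.1"),
    ("take.4", "result = buffer_[tail]",             {"result"},  {"buffer_", "tail"},       "take.1"),
    ("take.5", "notifyAll()",                        set(),       set(),                     "take.1"),
]


def slicing_criterion(program, observables):
    """The slide's rule: every statement that assigns to a variable
    mentioned in the property's observables."""
    return {label for label, _, defs, _, _ in program if defs & observables}


def backward_slice(program, observables):
    """Flow-insensitive backward slice: close the criterion under data
    dependence (definitions of used variables anywhere in the program) and
    control dependence.  Returns the kept labels in program order."""
    by_label = {stmt[0]: stmt for stmt in program}
    keep = slicing_criterion(program, observables)
    worklist = list(keep)
    while worklist:
        _, _, _, uses, control = by_label[worklist.pop()]
        needed = {label for label, _, defs, _, _ in program if defs & uses}
        if control is not None:
            needed.add(control)
        for label in needed - keep:
            keep.add(label)
            worklist.append(label)
    return [stmt[0] for stmt in program if stmt[0] in keep]


if __name__ == "__main__":
    kept = backward_slice(PROGRAM, {"head", "tail"})   # the variables of Full and Empty
    for label, text, *_ in PROGRAM:
        print(("keep   " if label in kept else "remove ") + label + ": " + text)
```

For the observables of Full and Empty (head and tail) the criterion is the two index updates; the loop predicates are pulled in as indirectly relevant because the updates depend on them, and everything touching buffer_, wait() and notifyAll() is removed, which is the shape the slide's annotated add() shows apart from the synchronization statements the toy cannot reason about.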

Abstraction Engine

Collapses data domains via abstract interpretation.

Data domain Signs, abstracting int: (n<0): neg, (n==0): zero, (n>0): pos.

Code:

    int x = 0;
    if (x == 0) x = x + 1;

becomes

    Signs x = zero;
    if (x == zero) x = pos;

SLIDE 19

Abstraction Component Functionality

[Diagram: abstractions written in the Bandera Abstraction Specification Language (BASL) are compiled by the BASL compiler, which submits proof obligations to PVS, into the Abstraction Library; the Jimple Abstraction Engine applies the abstractions selected for each variable to Jimple and emits abstracted Jimple.]

[Table: for each variable (x, y, done, count, o, b, …) its concrete type (int, bool, Object, Buffer, …), the abstract type chosen from the library (Signs, intAbs, Bool, Point, …) and the inferred type.]

Specification Creation Tools

Example: Start safe, then refine: +(NEG,NEG) = {NEG,ZERO,POS}

    abstraction Signs abstracts int
    begin
      TOKENS = { NEG, ZERO, POS };
      abstract(n)
      begin
        n < 0  -> { NEG };
        n == 0 -> { ZERO };
        n > 0  -> { POS };
      end
      operator + add
      begin
        (NEG, NEG)   -> { NEG };
        (NEG, ZERO)  -> { NEG };
        (ZERO, NEG)  -> { NEG };
        (ZERO, ZERO) -> { ZERO };
        (ZERO, POS)  -> { POS };
        (POS, ZERO)  -> { POS };
        (POS, POS)   -> { POS };
        (_, _)       -> { NEG, ZERO, POS };
      end
    end

Automatic generation: for the safe starting entry +(NEG,NEG) = {NEG,ZERO,POS}, one proof obligation per token that might be dropped is submitted to PVS...

    Forall n1,n2: neg?(n1) and neg?(n2) implies not pos?(n1+n2)
    Forall n1,n2: neg?(n1) and neg?(n2) implies not zero?(n1+n2)
    Forall n1,n2: neg?(n1) and neg?(n2) implies not neg?(n1+n2)

Each obligation PVS proves removes the corresponding token from the result; the first two are provable and the third is not, which refines the entry to (NEG, NEG) -> { NEG }.

SLIDE 20

Compiling In Abstractions

The BASL specification above (its `(_, _)` default covers the cases (POS, NEG) and (NEG, POS)) is compiled to:

    public class Signs {
      public static final int NEG  = 0;  // mask 1
      public static final int ZERO = 1;  // mask 2
      public static final int POS  = 2;  // mask 4
      public static int abstract(int n) {
        if (n < 0) return NEG;
        if (n == 0) return ZERO;
        return POS;  // n > 0
      }
      public static int add(int arg1, int arg2) {
        if (arg1 == NEG  && arg2 == NEG)  return NEG;
        if (arg1 == NEG  && arg2 == ZERO) return NEG;
        if (arg1 == ZERO && arg2 == NEG)  return NEG;
        if (arg1 == ZERO && arg2 == ZERO) return ZERO;
        if (arg1 == ZERO && arg2 == POS)  return POS;
        if (arg1 == POS  && arg2 == ZERO) return POS;
        if (arg1 == POS  && arg2 == POS)  return POS;
        return Bandera.choose(0, 2);  /* case (POS, NEG), (NEG, POS) */
      }
    }

Compiling In Abstractions: DEOS Kernel

In class StartofPeriodEvent:

    int itsPeriodId = 0;
    ...
    public int currentPeriod() { return itsPeriodId; }
    public void pulseEvent(...) {
      ...
      if (countDown == 0) {
        itsPeriodId = itsPeriodId + 1;
        ...
      }
    }

In class Thread:

    int itsLastExecution;
    ...
    public void startChargingCPUTime() {
      int cp = itsEvent.currentPeriod();
      if (cp == itsLastExecution) { ... }
    }

DEOS Kernel (abstracted), with itsPeriodId, currentPeriod(), itsLastExecution and cp all typed SIGNS:

    Signs itsPeriodId = ZERO;
    ...
    public Signs currentPeriod() { return itsPeriodId; }
    public void pulseEvent(...) {
      ...
      if (countDown == 0) {
        itsPeriodId = Signs.add(itsPeriodId, POS);
        ...
      }
    }

    Signs itsLastExecution;
    ...
    public void startChargingCPUTime() {
      Signs cp = itsEvent.currentPeriod();
      if (Signs.eq(cp, itsLastExecution)) { ... }
    }

SLIDE 21

Comparing Traces: Choice-bounded Search

[Diagram: the state space drawn as a tree whose branch points are choose() calls introduced by abstraction. Bounding the number of choices along a path fixes the region of the state space that is searched: a violation inside that region is detectable, one beyond it is undetectable.]

SLIDE 22

Property Abstraction

[Diagram: the system (program) is abstracted by an over-approximation and the property by an under-approximation; the model checker then runs on the abstract system and the abstract property.]

Goal: If the abstract property holds on the abstract system, then the original property holds on the original system.

Basic idea: the property (LTL) is converted to negation-normal form. For each predicate (e.g., on integers) of the form P(x,c), where x is bound to abstraction A, we replace P(x,c) by a disjunction of cases that guarantee P(x,c) to be true.

Examples (where x is bound to Signs):
  • [](x > 0) is abstracted (exactly) to [](x == pos)
  • [](x > -2) is abstracted (under-approximated) to [](x == zero || x == pos)
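The Signs abstraction of slides 19 and 20 and the property abstraction of this slide, as one added Python example (it is neither the BASL compiler nor Bandera's abstraction library): the `abstract` and `operator +` clauses become a function and a table keyed by the bit masks the compiled class comments mention; the PVS obligations become an exhaustive check over a bounded integer window, which can refute a table entry but, unlike the PVS proof, cannot establish it for all integers; "start safe, then refine" becomes table derivation over that window; and the predicate rewriting of this slide becomes `abstract_predicate`. The window bounds are assumptions of the example.

```python
"""The slide's Signs abstraction as executable Python: BASL clauses,
bounded stand-ins for the PVS obligations, 'start safe, then refine'
table derivation, and property abstraction (under-approximation)."""

NEG, ZERO, POS = 1, 2, 4          # bit masks, as in the compiled Signs class
ALL = NEG | ZERO | POS
NAME = {NEG: "NEG", ZERO: "ZERO", POS: "POS"}


def abstract(n):
    """BASL: n < 0 -> NEG; n == 0 -> ZERO; n > 0 -> POS."""
    return NEG if n < 0 else ZERO if n == 0 else POS


def tokens(mask):
    """Tokens in a mask; a multi-token result is what Bandera.choose()
    picks from non-deterministically in the abstracted program."""
    return [t for t in (NEG, ZERO, POS) if mask & t]


# The `operator + add` table from the BASL spec.  Pairs not listed fall
# back to the safe default {NEG, ZERO, POS}, the spec's `(_, _)` case.
SIGNS_ADD = {
    (NEG, NEG): NEG, (NEG, ZERO): NEG, (ZERO, NEG): NEG,
    (ZERO, ZERO): ZERO, (ZERO, POS): POS, (POS, ZERO): POS, (POS, POS): POS,
}


def abstract_add(a, b):
    return SIGNS_ADD.get((a, b), ALL)


def concrete_add(x, y):
    return x + y


def witnesses(mask, lo=-6, hi=6):
    """Concrete integers in [lo, hi] whose abstraction lies in mask
    (the window is an assumption of this example)."""
    return [n for n in range(lo, hi + 1) if abstract(n) & mask]


def check_operator(table, op, lo=-6, hi=6):
    """Bounded check of the obligations the slide sends to PVS, e.g.
    'neg?(n1) and neg?(n2) implies not pos?(n1+n2)': every concrete result
    on the window must be covered by the table entry.  Returns the violated
    cases as (a, b, x, y, result).  An empty list refutes nothing beyond
    the window, so this is a test, not the proof PVS provides."""
    bad = []
    for a in (NEG, ZERO, POS):
        for b in (NEG, ZERO, POS):
            allowed = table.get((a, b), ALL)
            for x in witnesses(a, lo, hi):
                for y in witnesses(b, lo, hi):
                    r = abstract(op(x, y))
                    if not r & allowed:
                        bad.append((NAME[a], NAME[b], x, y, NAME[r]))
    return bad


def derive_operator(op, lo=-6, hi=6):
    """'Start safe, then refine': begin with ALL for every pair and drop
    each token no witness pair produces.  A token that only shows up
    outside the window would be dropped wrongly, so the result is a
    candidate table whose obligations still have to be proved."""
    table = {}
    for a in (NEG, ZERO, POS):
        for b in (NEG, ZERO, POS):
            seen = 0
            for x in witnesses(a, lo, hi):
                for y in witnesses(b, lo, hi):
                    seen |= abstract(op(x, y))
            table[(a, b)] = seen
    return table


def abstract_predicate(pred, lo=-6, hi=6):
    """Property abstraction: keep only the tokens on which pred holds for
    every witness, so the abstract predicate implies the concrete one (an
    under-approximation).  x > 0 becomes POS exactly; x > -2 becomes
    ZERO | POS, losing the concrete x == -1, as on the slide."""
    mask = 0
    for t in (NEG, ZERO, POS):
        if all(pred(n) for n in witnesses(t, lo, hi)):
            mask |= t
    return mask


if __name__ == "__main__":
    print(check_operator(SIGNS_ADD, concrete_add))          # []
    derived = derive_operator(concrete_add)
    print({(NAME[a], NAME[b]): [NAME[t] for t in tokens(m)] for (a, b), m in derived.items()})
    print([NAME[t] for t in tokens(abstract_predicate(lambda x: x > -2))])
```

The derived table agrees with the hand-written BASL spec on every listed pair and yields {NEG, ZERO, POS} for (NEG, POS) and (POS, NEG), which is what the spec's default case provides. Planting a wrong entry such as (NEG, POS) -> {NEG} is caught immediately by `check_operator`, the bounded analogue of PVS rejecting the obligation.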

SLIDE 23

Heap Representation

    class Process1 extends Thread {
      public void run() { ... Object o1 = new Object(); ... }
    }
    class Process2 extends Thread {
      public void run() { ... Object o2 = new Object(); ... }
    }

[Diagram: the heap part of the state vector has two slots, a and b. Scheduling P1 first then P2 puts o1 in slot a and o2 in slot b; scheduling P2 first then P1 puts o2 in slot a and o1 in slot b.]

These two states should be considered equal, but they have different representations.

SLIDE 24

Heap Issues

Different thread interleavings may cause different positioning of heap objects. This will cause observationally equivalent heaps to be considered distinct states, leading to tremendous state explosion.

[Diagram: two heaps that are observationally equivalent (they differ only in object placement and in garbage) but whose naïve representation yields distinct states.]

For avoiding state-space explosion when model-checking OO software, one needs a heap representation that identifies as many observationally equivalent heaps as possible!

Simple Representation

(The same Process1/Process2 program as above.)

[Diagram: a structured state vector with one collection (region) per allocator site, l1 and l2. Because o1 is always allocated at site l1 and o2 at site l2, the two schedulings (first P1 then P2, first P2 then P1) now produce equal representations (=); the diagram also shows a case where the representations still differ (!=).]

SLIDE 25

Bounded Buffer BIR: State Declarations

    process BoundedB()
      BoundedBuffer_rec = record {
        bound : range -1..4;
        head  : range -1..4;
        tail  : range -1..4;
        BIRLock : lock wait reentrant;
      };
      BoundedBuffer_col   : collection [3] of BoundedBuffer_rec;
      BoundedBuffer_col_0 : collection [3] of BoundedBuffer_rec;
      BoundedBuffer_ref = ref { BoundedBuffer_col, BoundedBuffer_col_0 };

  • static identification of threads (process)
  • object state as a record
  • bounded integer values (range)
  • qualified lock representation (lock wait reentrant)
  • "mini-heaps", one per allocator site (collection)
  • the reference type indicates the mini-heaps that can be pointed to, which easily expresses the results of "points-to" analysis (ref)

Bounded Buffer BIR: Transitions

    loc s34: live { b2, b1, T_0, T_6, T_8 }
      when true do invisible { T_8 := (T_6 % T_8); } goto s35;
    …
    loc s36: live { b2, b1, T_0 }
      when true do { notifyAll(T_0.BIRLock); } goto s37;
    …
    loc s37: live { b2, b1, T_0 }
      when true do { unlock(T_0.BIRLock); } goto s38;

  • control point label (loc)
  • live variable information, used to optimize back-end code (live)
  • annotation denoting an invisible transition, which can be merged with the following transition (invisible)
  • built-in operations on lock representations (notifyAll, unlock)

SLIDE 26

Bounded Search Strategies

Usual strategy: carry out depth/breadth-first search to depth k.

Bandera strategy: carry out the search until resources from particular classes are exhausted: integer size, # instances at each allocator site, # processes, # activation frames.

[Diagram: the search tree is cut off at different depths on different paths, e.g., where an instance bound is exceeded or a process bound is exceeded.]

SLIDE 27

Bounded Buffer Promela

    typedef BoundedBuffer_rec {
      type_8  bound;
      type_8  head;
      type_8  tail;
      type_18 BIRLock;
    }
    …
    loc_25: atomic {
      printf("BIR: 25 0 1 OK\n");
      if
      :: (_collect(T_0) == 1) -> T_8 = BoundedBuffer_col.instance[_index(T_0)].tail;
      :: (_collect(T_0) == 2) -> T_8 = BoundedBuffer_col_0.instance[_index(T_0)].tail;
      :: else -> printf("BIR: 25 0 1 NullPointerException\n"); assert(0);
      fi;
      goto loc_26;
    }

  • record implementation (typedef)
  • BIR AST markers get printed with the error trail; they are parsed and drive the BIR simulator for counter-example display (printf)
  • accessing the mini-heaps for the buffer's tail component (_collect/_index)

dSpin Backend

Different thread interleavings may cause different positioning of heap objects, so observationally equivalent heaps would be considered distinct states, leading to tremendous state explosion.

Canonical heap (fully abstract): garbage collection, and a canonical ordering on objects based on the lexicographical order of field names in the reachability chain.
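Canonicalization as the dSpin back-end description sketches it, as an added example that is not Bandera's or dSpin's code: the heap encoding (string object ids in allocation order, dict fields, a root map) is constructed for the example, and `canonical_heap` renumbers objects by a depth-first walk from the roots in lexicographic field order, dropping unreachable objects. The sample heaps reproduce the Process1/Process2 scenario of the earlier slides, with and without garbage, next to a heap that is genuinely different.

```python
"""Canonical heap representation for state comparison: garbage-collect,
then number objects in the order a depth-first walk from the roots
reaches them, visiting fields in lexicographic order.  Heaps that differ
only in allocation order (thread interleaving) or in garbage compare equal.

Heap encoding (constructed for this example): object ids are strings
assigned in allocation order; each object is a dict field -> value where
a value is an int, None, or another object id; roots map root names
(static fields, thread locals) to ids."""


def naive_state_vector(roots, objects):
    """The simple representation: objects laid out in allocation order.
    Two interleavings that allocate the same objects in different order
    produce different vectors."""
    return (
        tuple(sorted(roots.items())),
        tuple((oid, tuple(sorted(objects[oid].items()))) for oid in sorted(objects)),
    )


def canonical_heap(roots, objects):
    """Canonical form: (roots, objects) with every id replaced by its
    position in the reachability walk.  Unreachable objects are dropped."""
    number, order = {}, []

    def visit(value):
        if not isinstance(value, str) or value in number:
            return                      # scalar, null, or already numbered
        number[value] = len(order)
        order.append(value)
        for field in sorted(objects[value]):   # lexicographic field order
            visit(objects[value][field])

    for name in sorted(roots):
        visit(roots[name])

    def rename(value):
        return ("ref", number[value]) if isinstance(value, str) else value

    return (
        tuple((name, rename(roots[name])) for name in sorted(roots)),
        tuple(
            tuple((f, rename(objects[oid][f])) for f in sorted(objects[oid]))
            for oid in order
        ),
    )


def distinct_states(heaps):
    """How many states a checker using canonical heaps would store."""
    return len({canonical_heap(r, o) for r, o in heaps})


# The slide's scenario: Process1 allocates o1, Process2 allocates o2.
P1_FIRST = ({"P1.o1": "obj0", "P2.o2": "obj1"},
            {"obj0": {"val": 1, "next": None}, "obj1": {"val": 2, "next": None}})
P2_FIRST = ({"P1.o1": "obj1", "P2.o2": "obj0"},
            {"obj0": {"val": 2, "next": None}, "obj1": {"val": 1, "next": None}})
# P1_FIRST plus an unreachable object left behind by a dropped reference.
WITH_GARBAGE = ({"P1.o1": "obj0", "P2.o2": "obj1"},
                {"obj0": {"val": 1, "next": None}, "obj1": {"val": 2, "next": None},
                 "obj2": {"val": 9, "next": "obj0"}})
# Genuinely different: both roots alias one object.
ALIASED = ({"P1.o1": "obj0", "P2.o2": "obj0"}, {"obj0": {"val": 1, "next": None}})

if __name__ == "__main__":
    print(naive_state_vector(*P1_FIRST) == naive_state_vector(*P2_FIRST))   # False
    print(canonical_heap(*P1_FIRST) == canonical_heap(*P2_FIRST))           # True
    print(distinct_states([P1_FIRST, P2_FIRST, WITH_GARBAGE, ALIASED]))    # 2
```

The walk order is what makes the form canonical: two heaps reach their objects through the same root names and field names, so they receive the same numbering regardless of where the objects sit in the allocation sequence. Heaps that differ in shape, such as the aliased one, still produce distinct forms.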

SLIDE 28

Case Study: Honeywell Digital Engine Operating System (DEOS)

  • A real-time operating system for integrated modular avionics systems
  • Demonstration artifact for a NASA Langley funded project on incorporating formal methods in FAA certification
  • DEOS Scheduler: a non-trivial concurrent Java program: 1443 lines of code, 20 classes, 6 threads

Time Partitioning Requirement: Application processes are guaranteed to be scheduled for their budgeted time during a scheduling unit (known bug)

Verification of Abstracted DEOS (Bandera Abstraction & JPF)

  • Bandera's dependence graph used to identify the relevant controlling conditional expressions
  • produced a 464 step counter-example
  • using non-determinism bounded search, found a guaranteed feasible 318 step counter-example
  • after fixing the bug, the requirement was verified (~15 min)

SLIDE 29

Summary

Bandera is an open platform for experimentation
  • Designed for extensibility: well-defined internal representations and interfaces
  • We hope this will contribute to the definition of APIs for software model-checkers and associated tools
  • Tutorial, example repository, lecture slides, etc. on the web-site
  • Current release is usable on relatively small examples, but not robust enough for industrial use or large semester-long projects
  • Updated, more robust implementation in mid-September and mid-November
  • Complete rewrite of the tool to obtain a robust implementation with a very good user-interface coming early 2003

Challenging Open Problems

Compositional model-checking for concurrent OO systems
  • Issues with references and dynamic data make the OO setting light-years beyond the settings used in current foundational work
  • If we scale down the properties we want to check (e.g., to interface protocols) then there is more hope

SLIDE 30

Challenging Open Problems

Automated abstraction and refinement techniques in the presence of dynamically allocated data and concurrency
  • SLAM and BLAST have shown how automated abstraction and refinement can be effective for sequential code with primarily integer manipulation
  • Work on three-valued logic (TVLA) provides a nice foundation for heap abstraction, but automated counter-example driven refinement is still a challenge

Strategies for Moving Forward

  • Trojan-horse formal methods, e.g., FDR/refinement checking in UML RT, SLAM in a device-driver certification tool-kit
  • Software model-checkers integrated with robust testing and debugging infrastructures
  • Combine model-checking of design artifacts (these provide system abstractions) with refinement checking of code against designs
    In large systems, getting the overall design correct is more difficult/important than crunching out the implementation of your classes. Tools like a scaled-up Alloy attached to UML or other design artifacts could be very useful.